An intrusion detection system (IDS) is a system devised to detect many types of malicious network traffic that can't be detected by a conventional firewall. This includes network attacks against vulnerable services, data driven attacks on applications, unauthorized logins, access to sensitive files, viruses, Trojan horses, and worms.
An IDS comprises sensors which generate security events and a central Engine that records events logged by the sensors in a database and uses a system of rules to generate alerts from security events received. In a host-based system, the sensor usually consists of a software agent, which monitors activity of the host on which it is installed and identifies intrusions.
An intrusion prevention system (IPS) responds to a suspicious activity by resetting a connection or by reprogramming a firewall to block network traffic from the suspected malicious source either automatically or in response to a command of an operator. This is traditionally achieved by examining network communications and identifying patterns (known as signatures) of common computer attacks using a process known as “deep packet inspection” (DPI). DPI is a process of packet filtering where the data content of a packet, not just the packet's header, is examined to determine if the packet meets predefined criteria. An examined packet may be modified, discarded, redirected, or marked. A DPI device may also identify data flows.
A host intrusion prevention system (HIPS) prevents malicious behavior from occurring on a host (server or desktop computer). Unlike Network intrusion prevention system (NIPS), HIPS uses software-based filters, and the filters are deployed on the host itself, closest to the applications and data to be protected. Each filter, when added to the HIPS, incrementally adds to the load of the system as a whole, resulting in slowing down the operation of the system.
Accordingly, there is a need in the industry for developing a method for optimally provisioning filters to each host supported by HIPS and determining whether a filter can be removed from a host security configuration. There is also a need for minimizing the resulting processing effort while ensuring appropriate filter provisioning.